
Emotet Malware Network Experiments with Novel Methods Following International Takedown Efforts

The notorious botnet, having taken a break over spring, is now gearing up for a significant increase in activity, according to findings by Proofpoint experts.

Global Emotet botnet undergoes new tactic experimentation following international shutdown

Emotet, one of the most prolific botnets in recent history, has resumed activity after a brief quiet period, according to security researchers at Proofpoint. This marks the first activity from Emotet since it reemerged in November 2021.

The new activity uses OneDrive URLs and Microsoft Excel add-in (XLL) files to drop Emotet onto target computers. During an otherwise quiet period this month, the threat actor sent emails containing OneDrive URLs that hosted zip archives; each archive contained an XLL file which, when opened in Excel, installed the Emotet malware.
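As an added triage example (not from the Proofpoint research or this article), the script below flags OneDrive links in constructed proxy log lines and inspects a constructed zip archive for XLL members, checking whether each carries the PE header a genuine Excel add-in would have. The hostnames in the pattern and all sample data are assumptions made for the example.

```python
import io
import re
import zipfile

# OneDrive share/download hostnames (assumed for this example); matching on the
# host is a triage heuristic for the delivery chain described above, not a verdict.
ONEDRIVE_RE = re.compile(r"https?://(?:onedrive\.live\.com|1drv\.ms)/\S+", re.I)


def onedrive_urls(log_lines):
    """Return (url, looks_like_zip) for every OneDrive link found in the log lines."""
    hits = []
    for line in log_lines:
        for m in ONEDRIVE_RE.finditer(line):
            url = m.group(0).rstrip('",;)')
            path = url.split("?")[0].lower()
            hits.append((url, path.endswith(".zip")))
    return hits


def xll_members(zip_bytes):
    """List .xll members of an archive and whether each starts with a PE ('MZ') header.

    XLL add-ins are native DLLs, so an .xll member is a code-execution vector either
    way; the flag just tells the analyst whether it is a real PE or a decoy.
    """
    result = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.filename.lower().endswith(".xll"):
                with zf.open(info) as fh:
                    result.append((info.filename, fh.read(2) == b"MZ"))
    return result


def build_sample_zip():
    """Constructed sample archive: a fake XLL (PE header only), a non-PE .xll, a text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice_0422.xll", b"MZ" + b"\x00" * 62)  # header only, not a real add-in
        zf.writestr("notes.xll", b"plain text")                 # wrong magic: flagged as non-PE
        zf.writestr("readme.txt", b"benign")
    return buf.getvalue()


SAMPLE_LOGS = [  # constructed proxy log lines
    "2022-04-26T09:12:01Z user=alice GET https://onedrive.live.com/download?cid=ABC&resid=ABC%21123 200",
    "2022-04-26T09:12:03Z user=alice GET https://1drv.ms/u/s!AbCdEf/payment_0422.zip 200",
    "2022-04-26T09:13:10Z user=bob GET https://example.com/index.html 200",
]

if __name__ == "__main__":
    print(onedrive_urls(SAMPLE_LOGS))
    print(xll_members(build_sample_zip()))
```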

Emotet has a notorious history and has been linked to the threat actor TA542, also known as Mummy Spider. It was previously used to deploy TrickBot, another potent malware family, and ransomware. According to the Department of Justice, the damage caused by Emotet is estimated to have cost hundreds of millions of dollars.

In January 2021, an international coalition of law enforcement agencies, including the FBI, the Dutch National Police, and numerous other agencies across Europe, disrupted the Emotet botnet. The action disrupted Emotet activity but did not completely shut down the operation. Since November 2021, the renewed Emotet botnet activity spreading Emotet malware via email has been operated by cybercriminal groups linked to the original Emotet operators.

Microsoft has taken steps to combat the threat posed by Emotet. In April, the tech giant announced it would begin blocking Visual Basic for Applications (VBA) macros by default. The company also announced plans to disable XL4 macros in July 2021. These measures aim to prevent the execution of malicious code embedded in Excel files, a common delivery method used by Emotet and other malware.

Emotet has compromised more than 45,000 computers in the U.S. alone, and at the time of the international crackdown, it had infected more than 1.6 million computers globally. The threat actor behind the Emotet botnet is testing new techniques for a potential high-volume campaign, posing a significant risk to computer systems worldwide.

Emotet is named in a Cybersecurity and Infrastructure Security Agency advisory as a Russia-aligned cybercriminal group. As the threat actor continues to evolve and adapt its tactics, it is crucial for individuals and organisations to remain vigilant and take the necessary precautions to protect their systems from this persistent and dangerous threat.
